Exposing government secrets for public good has long been the mission of journalists and investigative reporters; more recently, cyber criminals and political adversaries have sought to expose the inner workings of the state, often for their own reasons.
Now, governments themselves are opening up the closet door, and even spy agencies are sharing their secrets.
Why a country’s secret service would release one of its own spy tools as open source software remains a bit of an unanswered question, but Canada has done so. The country’s cyber security agency is the latest to make public some of the weapons it developed to fight cyber crime, as have spy agencies in the U.K. (GCHQ’s CyberChef) and (perhaps inadvertently in the case of the NSA’s Vault 7 toolkit) in the States.
The Government of Canada Communications Security Establishment (CSE) has released what it calls AssemblyLine, an open source software platform for analyzing computer files in the hunt for malicious, potentially destructive, code that’s hidden inside.
AssemblyLine automates and customizes the search for harmful files, helping IT security staff quickly set aside uninfected files so they can focus their energy on fighting the most harmful ones.
As such, the tool is valuable for system admins and security ops dealing with large volumes of valuable files, such as banks and other financial firms.
AssemblyLine also has value for small- and medium-sized businesses by allowing them to better protect their data from theft and compromise, the CSE said in the press statement announcing the software’s release.
“The release of AssemblyLine to businesses, security researchers, industry and academia … benefits the country and CSE’s work to protect Canadian systems, and allows the cyber security community to build and evolve this valuable open-source software,” the CSE said. “The public release of AssemblyLine enables malware security researchers to focus their efforts on creating new methods to detect malicious files.”
Scott Jones heads up the IT security team at CSE; he says that in addition to the protection and prevention capabilities that AssemblyLine can bring, its release is also intended to open the doors on his agency, and let Canadians get a better look at what goes into protecting our digital infrastructure.
With in-house development stretching over a long and interesting period of time (in terms of Internet in-security), the software is now a tried-and-tested tool to locate and defeat harmful code. It’s written in the Python programming language, it uses no commercial technology, and it can run on a single PC or a networked cluster, the CSE explained.
Now, there’s a distinct possibility that CSE’s own tool could be turned against it, and somehow used to detect software that’s used by government or law enforcement for its own purposes. It’s happened before.
But Jones does not seem worried. “Whatever it detects, whether it be cybercrime or [nation] states, or anybody else that are doing things — well that’s a good thing, because it’s made the community smarter in terms of defence.
“We believe that the benefits far outweigh any risks and that we can still use this to be ahead of the threat that’s out there.”
AssemblyLine is available for download on BitBucket; there’s lots of documentation available, and users are encouraged to modify the software to fit their own needs.
In fact, CSE analysts and IT reps are taking their show on the road, as it were, and in a series of presentations to the country’s IT and security community, they are describing and demonstrating the software.
Steve Garon, an IT analyst at CSE, is the lead developer for AssemblyLine; John O’Brien is a Senior Technical Advisor at CSE, working for the organization’s Cyber Defence program.
At IT security industry events like Countermeasure, they have described the platform’s user interface and shown how its APIs can be used to extend it and to scale its data analytics up to very large volumes when needed, in order to detect and analyze malicious files and neutralize their impact.
The analysts describe the AssemblyLine process as a big conveyor belt: running specific analysis apps, it works through many files at once. Every file is scored for its potential threat level, so analysts can separate older, familiar threats from the seemingly endless stream of new attacks that typically require more attention and analysis.
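An added illustration of the conveyor-belt model described above (example code written for this article, not AssemblyLine’s own code or API): a handful of hypothetical services each score a file, the totals rank the files, and a set of hashes from earlier analysis separates familiar threats from new ones that still need an analyst. The service names, score values and sample files are all constructed.

```python
import hashlib
import math
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class Submission:
    name: str
    data: bytes
    scores: dict = field(default_factory=dict)   # service name -> score
    def total(self) -> int:
        return sum(self.scores.values())

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted payloads sit near 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

# Hypothetical services: each returns a heuristic score (0 = no finding).
def svc_pe_header(sub: Submission) -> int:
    return 100 if sub.data.startswith(b"MZ") else 0

def svc_high_entropy(sub: Submission) -> int:
    return 200 if shannon_entropy(sub.data) > 7.5 else 0

SERVICES = [svc_pe_header, svc_high_entropy]

def run_pipeline(subs: list, known_hashes: set) -> dict:
    """Score every file with every service, then triage; highest scores first."""
    buckets = {"clean": [], "known": [], "new": []}
    for sub in subs:
        for svc in SERVICES:
            sub.scores[svc.__name__] = svc(sub)
        if sub.total() == 0:
            buckets["clean"].append(sub)       # nothing fired
        elif hashlib.sha256(sub.data).hexdigest() in known_hashes:
            buckets["known"].append(sub)       # seen before: no re-analysis
        else:
            buckets["new"].append(sub)         # unfamiliar: needs an analyst
    return {k: [s.name for s in sorted(v, key=lambda s: -s.total())]
            for k, v in buckets.items()}

def build_samples() -> list:
    """Constructed inputs standing in for real submissions."""
    return [Submission("report.txt", b"Quarterly numbers look fine.\n"),
            Submission("dropper.exe", b"MZ" + b"\x90" * 64),
            Submission("packed.bin", bytes(range(256)) * 4)]

# Pretend dropper.exe was analysed in an earlier run and its hash recorded.
KNOWN_HASHES = {hashlib.sha256(b"MZ" + b"\x90" * 64).hexdigest()}
```

Running `run_pipeline(build_samples(), KNOWN_HASHES)` leaves only `packed.bin` in the "new" bucket, which is the stream of unfamiliar files an analyst would look at first.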
The software is available for download from BitBucket, an open-source software repository.